Entry...............: Beol`96
Alias(es)...........: Beol-4, Beol-Poly
Virus Strain........: -
Virus detected when.: August 1996
              where.: Germany, USA, ISRAEL, UK and Netherlands
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:     ca. 2000 Bytes
                      (uses a highly polymorphic engine)
                      2. Length in RAM:                    3000 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release.....: 2.04+ (V37-V40)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: -

Type of infection...: Self-identification method in files:

                      - uses a bug in BSTR routine from filecomment() for
                        the stealth routine

                      Self-identification method in memory:

                      - none

                      System infection:

                      -  WaitPKT entry of the DOS processes. This pointer
                         will be normally not used and is set to zero.
                         The idea behind this pointer is a replacement
                         for the standart WaitPkt routine from the OS. In
                         other words: The programmer of this virus made
                         a compatible code to WaitPkt().

                      Infection preconditions:

                       - HUNK_HEADER is found
                       - device is validated

Infection Trigger...: The infection is based on the packet handling
                      system of AMIGA OS. Every started file will be
                      infected. All synchron dos commands are affected.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - none

                      Transient damage:
                      - crypts first word in the first original hunk.
                        So we have to decrypt the whole virus to get the
                        original longword for the decryption code.

Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - infecting a file

Particularities.....: The crypt/decrypt routines are aware of processor
                      caches. The cryptroutine are highly polymorphic (level4)
                      and consists of some logical stuff. The packet handling
                      works in even on the new developer OS versions and
                      uses the extended packet commands from AMIGA OS.

                      The virus is incompatible to the new versions of EXEC,
                      as it uses some commands only legal in V37-V41 versions
                      of the task handling.

                      The virus tunnels doscall watcher like SnoopDos etc. by
                      using only lowlevel packet routines.
Similarities........: The link method is the normal "hunk 1 add" method
                      invented by IRQ Team V41. The way of infecting the
                      system is comparable to the first both BEOL linkviruses.

Stealth.............: FIRST working directory stealth code in a virus. It
                      uses a trick with the filecomment to mark the files,
                      which has to be shown as uninfected.

                      - The way of storing the original values is at the
                        moment UNKNOWN -

                      The stealth engine is a so called Directory stealth
                      system. It catches the list calls and give the system
                      the uninfected length of the files back. If such a
                      file will be loaded into an editor, the infected
                      file is in the buffer. The most modern PC viruses are
                      one step ahead and give even the editor the original
                      file (N8ghtFall = Wedding).

Armouring...........: The virus is heavily armoured with a random layered
                      polymorphic decryptor. The decryptor activates all x
                      layer decryptors in a row and uses always different
                      logical stuff. The virus uses antidebugging and anti-
                      heuristik stuff to irritate the analyser. The most
                      operations will be done using the stack. The headers
                      have always a different length, the only solid state
                      command is a "movem.l d0-d7/a0-a6,-(sp) = $48e7fffe"
                      at the beginning of the hunk. Internally the virus
                      uses the StackBase trick (bsr xx, Jumptable,xx: pop a0)
                      to irritate the analysers.

                      Some parts of the code will be manipulated online (data
                      reuse) and the polymorphic engine will be created in
                      a stack area. This function refuses to work properly in
                      a testsuite.

                      The crypt routine can be seen as "state of the art"
                      on AMIGA systems at the moment. The level 4 polymorphic
                      header makes it nearly impossible to recognize this
                      virus by a normal recognition. It`s not possible to
                      use any RAID technology (see HitchHiker3) to decode
                      the mainblock of the virus.

                      We are now doing a heuristik recognition using some
                      characteristics of the virus and then start the whole
                      emulation process to recognize the virus by name.

Comments............: Maybe the first virus, which makes it necessary to do
                      a complete CPU emulation. The first working CPU emul.
                      was used to decrypt the Cryptic Essence linkvirus by
                      VirusWorkshop. Other good viruskillers like VT and VZ
                      used the original decrunchcode in their repaircodes.

                      SYSTEMS WITH A 68020 OR HIGHER PROCESSOR.

--------------------- Agents -------------------------------------------

Countermeasures.....: VZ 1.34, VT 2.89 and VW 6.3
above Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 18.09.1996.
Classification by...: Georg Hoermann and Markus Schmall
Documentation by....: Markus Schmall (C)
Date................: Sep, 18. 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may be not used
                      in any SHI publication

===================== End of Beol`96 Virus =========================

[Go back]